diff --git a/admin/start.sh b/admin/start.sh
index f0a87a45..afe276be 100755
--- a/admin/start.sh
+++ b/admin/start.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
 python manage.py db upgrade
-gunicorn -w 4 -b 0.0.0.0:80 --access-logfile - --error-logfile - mailu:app
+gunicorn -w 4 -b 0.0.0.0:80 --access-logfile - --error-logfile - --preload mailu:app
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 906f43b9..12dcb11f 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -1,8 +1,8 @@
 FROM nginx:alpine
-RUN apk add --update nginx-lua && rm -rf /var/cache/apk/*
+RUN apk add --update nginx-lua openssl && rm -rf /var/cache/apk/*
-COPY nginx.conf /etc/nginx/nginx.conf
+COPY nginx.conf.default /etc/nginx/nginx.conf.default
 COPY nginx.conf.fallback /etc/nginx/nginx.conf.fallback
 COPY start.sh /start.sh
diff --git a/nginx/nginx.conf b/nginx/nginx.conf.default
similarity index 100%
rename from nginx/nginx.conf
rename to nginx/nginx.conf.default
diff --git a/nginx/nginx.conf.fallback b/nginx/nginx.conf.fallback
index 0e12bff7..bf5cd869 100644
--- a/nginx/nginx.conf.fallback
+++ b/nginx/nginx.conf.fallback
@@ -19,6 +19,23 @@ http {
 server {
 listen 80;
+ listen 443 ssl;
+
+ # TLS configuration hardened according to:
+ # https://bettercrypto.org/static/applied-crypto-hardening.pdf
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ ssl_certificate /tmp/snakeoil.pem;
+ ssl_certificate_key /tmp/snakeoil.pem;
+
+ add_header Strict-Transport-Security max-age=15768000;
+
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
+ }
 location /.well-known/acme-challenge {
 proxy_pass http://admin:8081;
diff --git a/nginx/start.sh b/nginx/start.sh
index 7c17c2be..2cb65f1a 100755
--- a/nginx/start.sh
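Review bot: A failed `python manage.py db upgrade` on the line before the changed gunicorn line does not stop the service from starting, because the script has neither `set -e` nor a status check, so a broken migration still ends with gunicorn serving against an un-upgraded schema. Adding `set -e` right after the shebang, or `python manage.py db upgrade || exit 1`, makes the container fail visibly instead. With `--preload` the application is imported once in the master and then forked into the four workers, so anything `mailu:app` opens at import time (a database connection pool, for instance) would be inherited by every worker after the fork; whether Mailu does that is not visible here and should be confirmed before relying on the flag.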
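Review bot: After the changed COPY line the image no longer ships a known `/etc/nginx/nginx.conf`; the stock file from `nginx:alpine` stays in place until `/start.sh` copies `.default` or `.fallback` over it, so a failure of that copy, or running the image with a different entrypoint, serves the base image's configuration rather than Mailu's. A comment above the COPY lines such as `# /etc/nginx/nginx.conf is selected at runtime by /start.sh` would record that dependency for the next reader. On the RUN line, `apk add --no-cache nginx-lua openssl` is the idiomatic Alpine form and makes the trailing `rm -rf /var/cache/apk/*` unnecessary.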
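Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` still enables TLS 1.1, which is deprecated (RFC 8996) and not needed by current clients; `ssl_protocols TLSv1.2;` is the safer minimum, with TLSv1.3 added if the image's nginx and OpenSSL support it. The cipher list leads with `EDH`/`kEDH` suites but the block sets no `ssl_dhparam`; depending on the nginx version those DHE suites are either served with weak built-in parameters or not offered at all, so either add `ssl_dhparam` pointing at generated 2048-bit parameters or drop the DHE entries and rely on the ECDHE suites already listed. The server-level `if ($scheme = http) { return 301 ... }` also catches `/.well-known/acme-challenge`, so HTTP-01 validation is redirected to HTTPS served with the self-signed snakeoil certificate; this only works as long as the CA follows the redirect without verifying the certificate, and exempting that location from the redirect removes the dependency. Finally, `ssl_certificate` and `ssl_certificate_key` both point at one file in `/tmp`, which is an unusual place for a private key; a dedicated directory such as `/etc/nginx/certs` with restrictive permissions is preferable.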
+++ b/nginx/start.sh
@@ -1,6 +1,11 @@
 #!/bin/sh
-if [[ ! -z ENABLE_CERTBOT && ! -f /certs/cert.pem ]]; then
+if [[ -z ENABLE_CERTBOT || -f /certs/cert.pem ]]
+then
+ cp /etc/nginx/nginx.conf.default /etc/nginx/nginx.conf
+else
+ openssl req -newkey rsa:2048 -x509 -keyout /tmp/snakeoil.pem -out /tmp/snakeoil.pem -days 365 -nodes -subj "/C=NA/ST=None/
+L=None/O=None/CN=$DOMAIN"
 cp /etc/nginx/nginx.conf.fallback /etc/nginx/nginx.conf
 fi
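Review bot: `[[ -z ENABLE_CERTBOT || -f /certs/cert.pem ]]` tests the literal string `ENABLE_CERTBOT` rather than the variable, so `-z` is never true and the choice of config depends only on whether `/certs/cert.pem` exists; the removed line had the same mistake, and the intended form is `if [ -z "$ENABLE_CERTBOT" ] || [ -f /certs/cert.pem ]; then` (POSIX `[` rather than the bash-style `[[`, which `#!/bin/sh` does not guarantee). The `-subj` argument of the `openssl req` call is split across two added lines inside the double quotes, so the subject contains a literal newline after `ST=None/`; it should be a single line, `-subj "/C=NA/ST=None/L=None/O=None/CN=$DOMAIN"`. The self-signed private key is written together with the certificate to `/tmp/snakeoil.pem` and the script has no `set -e`, so a failed `openssl` call is only noticed when nginx refuses to load the missing file; `set -e` after the shebang and a dedicated, restrictively permissioned directory for the generated key (kept consistent with the path in `nginx.conf.fallback`) would make both explicit.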